Software Development & Application Security

Overview and Objectives

This module on Software Development & Application Security focuses on integrating security into the software development lifecycle (SDLC) to create resilient applications from the ground up. In a world where software vulnerabilities lead to massive breaches (e.g., the 2024 CrowdStrike outage affecting millions), "secure by design" principles are essential. Students will work with code, pipelines, and tools to embed security practices, reducing risks like injection attacks or misconfigurations. By the end of this module, students will be able to:

• Apply fixes for the OWASP Top 10 vulnerabilities, incorporating best practices for common web app risks.
• Integrate SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) into CI/CD (Continuous Integration/Continuous Deployment) pipelines.
• Secure APIs and manage secrets effectively, using tools and strategies to protect sensitive data.

As of August 28, 2025, the OWASP Top 10 is on track for a 2025 update (expected late summer/early fall), building on the 2021 version with potential emphasis on AI/ML risks and supply chain security. Trends include AI-assisted scanning in CI/CD (used in 25% of pipelines) and zero-trust for APIs. OWASP ZAP's latest version is 2.16.1, with enhancements for automation and Edge browser support. GitLab CI/CD (version 18.x in 2025) embeds SAST/DAST natively, with new features like protected repositories and AI-driven vuln prioritization.

Estimated Time: 5-7 hours of lecture/discussion, plus coding labs (e.g., securing a sample app).

Prerequisites: Introduction to Programming, Cybersecurity Fundamentals.

Assessment Ideas:

• Quiz on OWASP risks and fixes.
• Project: Build a secure API with CI/CD pipeline, including SAST/DAST scans.
• Report: Analyze a 2025 breach (e.g., API-related) and propose SDLC improvements.

Key Concepts and Explanations

1. Secure SDLC (Software Development Lifecycle)

Secure SDLC (SSDLC) embeds security at every phase: Planning, Design, Implementation, Testing, Deployment, Maintenance. In 2025, best practices emphasize "shift left" (early security integration), security-first culture, and automation to address rising supply chain attacks.

• Why it matters: Traditional SDLC often treats security as an afterthought, leading to costly fixes (up to 100x more post-deployment).
• Implementation: Use frameworks like Microsoft SDL or NIST SSDF; include threat modeling in design and code reviews in implementation.
• Term to Explain: Shift Left – Incorporating security checks earlier in the SDLC (e.g., design phase) to identify issues before they propagate.

2. Applying OWASP Top 10 Fixes

The OWASP Top 10 lists the most critical web app security risks. The 2021 version (current as of August 2025, with 2025 update imminent) includes A01: Broken Access Control, A02: Cryptographic Failures, A03: Injection, etc. Predictions for 2025 highlight increased focus on known vulns and misconfigurations based on CVE data.

• Fixes: For Injection (A03), use prepared statements/ORMs; for Broken Access Control (A01), implement RBAC and IDOR checks.
• OWASP ZAP: A DAST tool for automated scanning. Version 2.16.1 supports API scanning and CI/CD integration.
• Term to Explain: IDOR (Insecure Direct Object References) – A vulnerability where users access unauthorized objects by manipulating identifiers (e.g., /user/123 to /user/456).

3. Integrating SAST/DAST in CI/CD

SAST analyzes source code statically for vulns; DAST tests running apps dynamically. In 2025, trends include AI-enhanced tools for fewer false positives and seamless CI/CD integration (e.g., in GitLab, GitHub Actions).

• GitLab CI/CD: Native support for SAST (e.g., via .gitlab-ci.yml with semgrep), DAST (ZAP proxy), and scans for dependencies/containers.
• Integration: Add jobs in pipelines (e.g., stages: [test] with SAST tools like SonarQube); fail builds on high-severity issues.
• Term to Explain: False Positive – A reported vulnerability that isn't actually exploitable, common in SAST; mitigated by tuning rules or AI.

4. Securing APIs and Managing Secrets

APIs are prime targets; OWASP API Security Top 10 (2023 version, no 2025 update yet) covers risks like Broken Object Level Authorization (BOLA).

• API Security: Use OAuth/JWT for auth, rate limiting, input validation; scan with ZAP or Postman.
• Secrets Management: Store keys, passwords securely. 2025 tools: HashiCorp Vault (centralized, with rotation), AWS Secrets Manager, Doppler (dev-friendly), GitLab Managed Secrets.
• Best Practices: Avoid hardcoding secrets; use env variables or vaults; scan for leaks with tools like TruffleHog.
• Term to Explain: BOLA (Broken Object Level Authorization) – Similar to IDOR, where APIs fail to check user permissions for accessed objects.

Visualizations Using Mermaid Script

Include these in lectures for visual aids; students can practice in Mermaid editors.

Visualization 1: Secure SDLC Phases

Flowchart of SSDLC stages with security integrations.

flowchart TD
    A[Planning: Requirements & Threat Modeling] --> B[Design: Secure Architecture & Reviews]
    B --> C[Implementation: Secure Coding & SAST]
    C --> D[Testing: DAST & Penetration Testing]
    D --> E[Deployment: CI/CD with Scans]
    E --> F[Maintenance: Monitoring & Patching]
    F --> A[Iterate]
    style A fill:#f9f,stroke:#333
    style F fill:#bbf,stroke:#333

Explanation in Class: Each phase includes security (e.g., SAST in code); discuss "shift left" by moving scans to earlier stages.

Visualization 2: GitLab CI/CD Pipeline with Security

Graph showing a sample pipeline.

graph LR
    A[Commit Code] --> B[Build Stage]
    B --> C[Test Stage: Unit Tests]
    C --> D[Security Stage: SAST Scan SonarQube]
    D --> E[Security Stage: DAST Scan OWASP ZAP]
    E --> F[Deploy Stage: If Scans Pass]
    F --> G[Monitor: Runtime Protection]
    style D fill:#ff9,stroke:#333
    style E fill:#ff9,stroke:#333

Explanation in Class: Highlight failure gates; integrate with GitLab's .yml for labs.

Visualization 3: OWASP Top 10 Risk Mapping

Mind map of categories (based on 2021, adaptable for 2025).

mindmap
  root((OWASP Top 10))
    A01["Broken Access Control"]
    A02["Cryptographic Failures"]
    A03["Injection"]
    A04["Insecure Design"]
    A05["Security Misconfiguration"]
    A06["Vulnerable Components"]
    A07["ID & Auth Failures"]
    A08["Software/Data Integrity"]
    A09["Logging/Monitoring Failures"]
    A10["SSRF"]

Explanation in Class: Link each to fixes; update with 2025 predictions (e.g., more on AI vulns).

Hands-On Activities and Examples

• Lab 1: Use OWASP ZAP 2.16.1 to scan a vulnerable app (e.g., Juice Shop) and apply Top 10 fixes in code.
• Lab 2: Set up GitLab CI/CD pipeline with SAST (Semgrep) and DAST (ZAP); manage secrets via GitLab variables.
• Case Study: Analyze the 2023 MOVEit API breach (exploited misconfigs); redesign with secure SDLC.
• Group Exercise: Secure a sample REST API with JWT and Vault for secrets; test in CI/CD.

Key Skills Development

• OWASP ZAP: Automate scans and baseline testing in labs.
• GitLab CI/CD: Configure .yml for security jobs; use 2025 features like AI vuln prioritization.
• SAST & DAST: Integrate tools like SonarQube (SAST), StackHawk (DAST) into pipelines.
• API Security: Apply OWASP API Top 10 mitigations; use tools like Postman for testing.
• Secrets Management: Implement Vault or Doppler; scan for leaks.
• Secure SDLC: Design full lifecycles with threat models.

Resources and Further Reading

• Books: "Secure by Design" by Dan Bergh Johnsson; "The DevOps Handbook" by Gene Kim.
• Online: OWASP.org (Top 10, ZAP docs); GitLab docs (CI/CD security); NIST SSDF.
• Videos: OWASP YouTube for Top 10 overviews; GitLab tutorials on DevSecOps.
• Tools: OWASP ZAP 2.16.1; GitLab (free tier); HashiCorp Vault; SonarQube Community.

Stay updated via OWASP announcements for the 2025 Top 10 release and sources like Dark Reading for trends. End with Q&A on explained terms.